ABSTRACT


A general description of the Flight Safety Prediction Technique, and the
documentation associated with its specific application to the C-141 aircraft,
are presented.
GLOSSARY


This glossary presents general definitions of terms used in this report. The
reader will find certain of these terms defined in somewhat different words in the
text, depending on the context of the discussion; but the meaning will be consistent
with the definitions given here.


Criticality — A numerical index of the significance of equipment failure
history relative to aircraft safety. As an analysis parameter,
it can be considered proportional to the likelihood that
an item will fail and thereby cause an accident. It is the
product of the failure probability and the sensitivity of an
equipment item.


Dependency — See link dependency.


FSPT — Flight Safety Prediction Technique


Flight Phases — Discrete segments of the aircraft mission profile. For
present purposes, the flight phases are defined as 1) startup
and taxi, 2) takeoff, 3) climb, 4) cruise, 5) tactics,
6) cruise, 7) descend, 8) land, and 9) taxi and shutdown.


Functional Analysis — The determination of equipment relationships to aircraft
functions performed, and the interrelationships of these
functions.


Functional Link — The simplest form of functional relationship in which one
function is dependent upon the next lower function.


Functional Path — The compilation of functional links, in sequence, through
which a function is identified as being dependent upon another.


Link Dependency — The conditional probability of a dependent function failing,
given that a particular function it is dependent upon has failed.


Provisory Condition — Operation of an aircraft in a mode or environment such that
the safety-related importance of certain equipments is
increased. Provisory conditions include icing, night flight,
supersonic flight, etc.


Provisory Factor — The probability that a provisory condition exists. Also used
to describe the coded notation used to indicate that a functional
relationship is dependent on a particular provisory condition.


Safety Sensitivity — Same as "sensitivity".


Sensitivity — A quantitative indication of the degree of safety degradation
to be expected if a function or piece of equipment fails. The
more specific terms are "functional sensitivity" or "equipment
item sensitivity".


Sensitivity Path — A particular sequence of functional dependencies (beginning
at the top level in the hierarchical structure) through which
a function or piece of equipment derives a sensitivity value.
Equipment and functional sensitivity values are often
derived through several such sensitivity paths.


FOREWORD 


This document is part of a 16-volume report describing the application to 
specific aircraft types of ARINC Research Corporation's Flight Safety Prediction 
Technique (FSPT). The technique was developed under previous Air Force contracts 
(see Appendix A). The present effort, undertaken in 1972 under Contract 09603-72- 
A-1132-SA01, has led to further refinement of the FSPT through its broad application 
to many different types of aircraft. The flight safety models generated for these
aircraft are presented in individual volumes of this report as follows:


Volume   Aircraft                 Volume   Aircraft

  2      T-38                       10     B-52G, H
  3      F-111A, FB-111A            11     C-130E
  4      A-7D                       12     KC-135
  5      F-4D, E; and RF-4C         13     C-5A
  6      C-141                      14     T-39
  7      A-37                       15     F-15
  8      O-2                        16     UH-1N Helicopter
  9      OV-10


Volume 16 will document the results of a feasibility study of extending the FSPT
to rotary-wing aircraft.


Volume 1, an overall summary of the contractual effort, will be issued at the 
end of the contract period. 
1
INTRODUCTION


The Flight Safety Prediction Technique developed by ARINC Research
Corporation provides for assessment of the impact on flight safety of the failure of
specific items of equipment within an aircraft. In the FSPT, mathematical modeling
procedures are applied for processing aircraft-equipment failure data to yield a
quantified index ranking safety-related problems on the basis of their likelihood of
occurrence and the resulting degradation in the aircraft's capability to fly.


The ranking factor is called "criticality", which in its simplest form is the
product of the failure probability and flight-safety sensitivity of an equipment. (A
more detailed definition appears in Section 2 and Appendix B.) The failure probability
inputs are from basic failure-data sources, AFM 66-1 and 65-110. The sensitivity
estimates are derived by the following process:


a. Systematic analysis of aircraft functions to determine those essential 
to flight safety 


b. Identification of the hardware required to perform these functions 


c. Evaluation of the safety significance of the hardware in performing 
these essential aircraft functions. 


The criticality values resulting from this approach provide a relative ranking of
all malfunctions with respect to their safety significance. Figure 1-1 is a simplified
example of how three equipment items would be ranked on the combined basis of their
failure probability and safety sensitivity. This figure illustrates an example in which
item A has the highest failure probability, but due to the low sensitivity value is
ranked below item B in criticality.


The methodology has the ability to rank malfunction problems currently and 
continuously by their accident potential. This ranking, based on criticality assess- 
ment, can provide the basic parameters necessary for: 


a. Identifying equipment items whose failure history and application pose 
a threat to aircraft safety 


b. Quantifying the degree of threat associated with each equipment item


c. Evaluating and tracking the effectiveness of modifications to the aircraft


d. Assessing safety benefits versus the cost of proposed aircraft modifications,
changes in maintenance or flight operations, or alternative aircraft
designs.
[Figure 1-1 panels: Failure Probability, Sensitivity, Criticality]

CRITICALITY = P × S

where P = Probability of failure
      S = Safety sensitivity; the accident exposure
          associated with each failure occurrence


Figure 1-1. Example of Criticality Ranking Process
In this report, Section 4 and Appendix D pertain specifically to the C-141 aircraft.
The remainder of the document provides support information that will make the
C-141 data, and the method by which the data were obtained, more meaningful to the
general reader.


Section 2 presents an overview of the development and utilization of the Flight
Safety Prediction Technique; Section 3 discusses the steps associated with generating
a safety model for calculating the safety criticality of various equipments of an
aircraft; and Section 4 describes how the safety model for the C-141 aircraft was
developed. Appendix A summarizes the contractual history of the development of the
FSPT; Appendix B discusses mathematical considerations underlying the technique;
Appendix C discusses FSPT documentation for methods; and Appendix D presents
functional relationship diagrams for a listing of keypunch cards that comprise the
safety model documentation for the C-141 aircraft.
2
METHODOLOGY UNDERLYING FSPT


This section discusses the basic definitions and mathematical concepts
associated with the Flight Safety Prediction Technique.


2.1 DEFINITION OF SAFE AIRCRAFT 


To develop a relative measure of aircraft safety degradation resulting from 
specific equipment malfunctions, it is first necessary to define a "safe" aircraft. For
purposes of the FSPT assessments, an aircraft is assumed to be in a safe condition if 
it is operating within its prescribed performance limits. Conversely, an aircraft 
operating (or about to operate) outside these limits is considered to be unsafe — in a 
condition where property damage and personal injury may result. 


The safety prediction methodology does not attempt to assess the extent of 
possible personal injury or aircraft damage resulting from an unsafe condition. 
Neither does the concept consider ejection capability, parachutes, life rafts, etc., 
which do not make an aircraft safer per se but provide for the survivability of the air- 
crew when the aircraft is unsafe. Collision is also excluded from consideration 
because of the complexity of the interrelationships between pilot, aircraft equipment, 
ground surveillance, and traffic density. 


2.2 MATHEMATICAL BASIS OF FSPT 
The probability of an accident caused by the failure of an element can be
expressed as the probability of the element failing multiplied by the conditional
probability that the failure of the element will cause an accident. Stated in equation form:


$$P(A,j) = P(j)\,P(A \mid j) \qquad (1)$$


where

P(A,j) = Probability of an accident due to failure of just the jth element*
P(j)   = Probability that element j fails
P(A|j) = Probability of an accident given that the jth element fails.


This equation reflects the basic relationships addressed in the FSPT where:

a. The criticality of the jth element is an estimate of P(A,j)


b. The sensitivity of the jth element is an estimate of P(A|j)


*In this and subsequent discussions, unless otherwise stated, expressions such as
"failure of the jth element" should be interpreted to mean: failure of only the jth
element, assuming all other elements are not failed.
Because an element's effect on safety may depend on the mission phase (see
Section 3.2.1), the above model can be expanded to:


$$P(A,j) = \sum_{k=1}^{N} P_{jk} \cdot P(A \mid j,k) \qquad (2)$$


where

N        = Number of mission phases
P_jk     = Probability that the jth element is failed in the kth phase
P(A|j,k) = The jth element's sensitivity in the kth phase.


To identify the importance of discrete elements to aircraft safety, a flight
profile consisting of nine distinct phases was defined. The phases are discussed in
Section 3.2.1.


To utilize equation 2, it was necessary to develop a method for obtaining the 
values of P(A|j,k), the probability that a malfunction in element j during mission 
phase k will result in an accident. This method in turn requires the estimation of two 
parameters: the probability of accident if a major function is not available during 
each mission phase, and the dependence of the major function on subfunctions and 
elements during each such phase*. Each function and equipment item thus derives 
its sensitivity value from its relationship to the major function(s) dependent upon it. 


2.3 SENSITIVITY ASSIGNMENTS 


A great deal of information is available on the causes of aircraft accidents, but 
little exists from which to make the sensitivity assignments [P(A|j)]. These assign-
ments are therefore largely subjective, based on the analyst's knowledge of the system
and any information he may have on previous accident history. The sensitivity
assignments are reviewed (and revised as necessary) by an Air Force/contractor team
working on a particular model to ensure that consistent criteria have been followed. 
The team review and negotiation of sensitivity assignments is the mechanism by which 
the value becomes sufficiently objective for use with the model. This negotiation con- 
siders all of those top level functions as a group and reassigns sensitivity values as 
necessary to assure that the most objective proportionality is attained for the par- 
ticular aircraft model. The same major-function sensitivity values are used for 
major functions on all aircraft models where configuration and mission profiles 
permit. 


The development of criticality rankings for the various elements (j's) is
dependent upon the ability to quantify the failure probability [P(j)] and the element
sensitivity [P(A|j)] for each element. Since the intent of the concept is to provide a
relative safety ranking of all malfunctions, it is not necessary to develop absolute
values for P(A|j). If the sensitivity values developed are correct relative to each
other, a proper criticality ranking will be established. It is intended that criticality
be an index proportional to P(A,j) and therefore provide the same relative rank
ordering of elements. The major reasons for proportionality, rather than equality,
are:


a. The FSPT does not account for the effect of extraordinary pilot
intervention to prevent an accident in case of equipment malfunction.


b. Criticality quantification was limited in its treatment of simultaneous
occurrence of independent, primary failures.


c. Operational and malfunction data yield only a proportional estimate of
the required information.


While strict proportionality cannot be mathematically proven, it is believed that
the criticality rankings provide reasonable relative measures of equipment problem
potential.


*For a more detailed discussion of the mathematics of the FSPT, see Appendix B.
3
MODEL DEVELOPMENT


Figure 3-1 summarizes the approach to the assessment of flight-safety 
criticality of aircraft equipment. The first contractor activity is the identification of 
all functions the aircraft is expected to perform and the determination of their inter- 
relationships. Next, each functional relationship is documented; and then sensitivity 
assignments are made at the major functional levels (below these levels, link 
dependency values are estimated; see discussion, Section 3.2.2). This process is 
carried out until each work unit code associated with a major function has been identi- 
fied with respect to the function performed and dependencies have been estimated. 
Computer processing calculates the safety sensitivity for each work unit coded item, 
combines these values with the operation and failure data input by the Air Force, and
produces the equipment criticality ranking.


[Figure 3-1 blocks. Contractor input: Aircraft Functional Analysis; Functional Link
Documentation; Sensitivity/Dependency Assignment. Air Force input: Aircraft
Malfunction Data; Operational Data. Both feed Computer Processing, which yields
Equipment Criticality.]


Figure 3-1. Activities and Data Inputs to Flight Safety Criticality Assessment


The steps in this process are discussed in greater detail in the following
sections.


3.1 FUNCTIONAL ANALYSIS 


Functional analysis entails the systematic identification of the relationships of 
hardware to the functions performed by the aircraft and documented in the aircraft 
technical orders. Tabulated for each aircraft function are the equipments necessary 
for its performance as well as all outputs required for other systems. The complexity 
of the functional interdependencies of an aircraft requires the use of a systematic 
accounting procedure, as discussed below, to assure that all relationships have been
identified and that no functional paths have been overlooked. 


Certain top-level functions (comprised of both "primary" and "major" functions) 
have been defined as applicable to all aircraft types, and serve as the starting point 
for a safety analysis. Figure 3-2 lists these top level functions with the primary func- 
tion of Flight Control expanded to show its typical major functions. Below the major 
function level, differences in aircraft types result in function identification and struc-
turing specifically suited to each aircraft. In Figure 3-2, for instance, the major
function Roll Control is subdivided into Left Roll and Right Roll, and further into 
aileron and spoiler actuation subfunctions. This structure is that applicable to an I-.| 
aircraft, in which ailerons have an extremely limited upward travel and lift is pri- 
marily lost through spoiler operation. Finally, each item in the aircraft WUC ("-06") 
manual is identified with respect to the function it performs. * 


Every function and every WUC included in the model receives an "alpha 
designator" unique to that aircraft model. Due to the large number of alpha desig- 
nators required in a model, an indenturing system is utilized to prevent duplication. 
However, the location in the hierarchical structure and the number of characters in 
the alpha designators are often independent, since such correlation is not necessary 
for subsequent computer processing. 


The functional relationships from the system diagram, and identification of the 
equipment necessary for each function, are next documented in an 80-column punch- 
card format (see Appendix C). The total functional diagram for the aircraft is then a 
compilation of the system diagrams, with one punchcard for each functional link. 


With the aircraft functions completely documented, the functional paths by which 
a piece of equipment contributes to the operation of the aircraft can be identified by 
computer. Performing the path-identification/documentation task by computer proves 
to be not only useful but necessary — the human analyst could neither keep track of nor 
assign sensitivity values to all functional paths. The machine processing capability 
allows the analyst to consider only one functional link at a time. The ability to follow 
all of the functional interrelationships within the aircraft, which is necessary for 
meaningful assessment of safety, is then provided by the computer. 


3.2 MAJOR-FUNCTION SENSITIVITY ASSIGNMENT 


3.2.1 Assignment Method 


As stated earlier, the sensitivity of a function or equipment item is an estimate 
of the probability that its failure will cause an accident. From functional analysis of 
the aircraft under consideration, major functions are identified and are assigned 
sensitivity values for each phase of the mission. 


*Certain WUC items in the "-06" manual may not be included in the safety model,
these items being either 1) eliminated by TCTOs; 2) purely structural items in the
11000 series; 3) necessary only for survivability or ejection; 4) of lower indenture
than the LRU level, where computer data screening eliminates failure reports.

The relative importance of primary functions, major functions, and functions is
not necessarily constant throughout a flight. The failure, for example, of one engine
of a multi-engine aircraft is far more critical on takeoff than it is during the rest of 
the flight, and is of relatively little importance during startup and taxi. To accommo- 
date this variability of importance, the mission of an aircraft is divided into nine flight 
phases: 


1. Startup and taxi

2. Takeoff

3. Ascend (climb-out)

4. Cruise, outbound

5. Intercept or tactical phase

6. Cruise, inbound

7. Descend

8. Land

9. Taxi and shutdown


These phases are illustrated in Figure 3-3. 


[Figure 3-3 labels: Tactical Phase, Cruise-Out, Cruise-Return]


Figure 3-3. Phases of Aircraft Mission
A sensitivity value is assigned for each of the phases, and represents the best
estimate of the likelihood that the aircraft will enter a hazardous mode if the function
is not present in that phase. The numerical values assigned are proportional rather
than absolute, and range from 0.0 to 1.0. The keypunch card format limits this
assignment to increments of 0.1. Increments smaller than 0.1, when required, were
assigned by defining a quasi-function for insertion between the major function and its
dependent primary function.


3.2.2 Link Dependency Assignment 


"Link dependency" is defined as the probability that the loss of a function will 
result in the loss of a dependent function. (For a more detailed discussion of this
term, see Appendix B.) The assignment of link dependency values requires knowledge
of the operation of specific aircraft because it is concerned only with functional levels
below the "major" category. At this lower level, no evaluation is made of the impact
on flight safety of the loss of functions. Instead, the effect of the loss of one function
on the performance of another function becomes the evaluation criterion. Like
sensitivities, link dependency values are assigned in increments of 0.1. Additionally, 
the method of attenuation used in assigning sensitivity values can also be applied to 
link dependencies. 


3.2.3 Provisory Factors 


The sensitivity of major functions with respect to aircraft safety, and at the 
lower levels the link dependency between functions, can be dependent on external 
influences and aircraft operating conditions. To accommodate these external influ-
ences, a set of provisory factors has been identified. An example would be a wind-
shield anti-ice system, which has a safety sensitivity close to 1.0 during landing
under icing conditions but a negligible effect on a dry, warm day.


Under such circumstances, the procedure is to assign the "worst case" value
(assuming the condition exists). During model exercise the likelihood that the condi-
tion exists can be "read-in", thereby allowing the sensitivity value to be assigned by
the computer based on the likelihood of the condition and the probability that the higher 
level function will therefore be lost. Table 3-1 lists the standard provisory factors 
used in FSPT models. 


3.2.4 Computer Processing 


Documentation of a flight safety analysis by ARINC Research thus consists of 
functional diagrams, coded functional tabulations, a functional data processing card 
deck, and a machine-prepared printout of the card deck data. Under this contract, 
the documentation is then sent to San Antonio Air Logistics Center for review by 
MMER personnel and representatives of the Air Logistics Center responsible for the 
particular aircraft (if other than SA/ALC). 


SA/ALC processes the functional data card deck utilizing a number of com- 
puterized operations. First, a functional deck edit is accomplished to identify certain 
format or logic errors that may exist. Next, a path identification/documentation run 
is made that traces all possible paths associated with each function and calculates the 
numerical sensitivities by flight phase down to the WUC level. Then, a path combi- 
nation run is made taking into account the dependence of more than one major function 
on a particular WUC. Finally, failure information from the 66-1 data system and 
numerical factors for provisory conditions are input and a WUC criticality list by rank 
order is generated by the computer.
TABLE 3-1. PROVISORY FACTOR CODES


Code   Provisory Condition

       Icing conditions
       Adverse speed/altitude operations (Helicopter)
       Runway stopping distance/confined area (Helicopter)
       Night operation
E      IFR conditions
F      Supersonic flight
G      Rain
H      Solo flight
       Loss of function for which indication is provided
       Normal system failed
       Flame-out
       Fire
       Cold weather
       One of three available units is required
       Two of three available units are required
       One of four available units is required
       Two of four available units are required
       Three of four available units are required
       Four of eight available units are required
An additional product generated by the computer is a two-part criticality trend
analysis. Part I contains the criticality rankings and linear regression analysis by
WUC for the previous 12 months. Part II contains plots of the criticalities and
regression lines for the 25 WUCs top-ranked according to safety criticality.
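

The processing sequence of Section 3.2.4 (deck edit, path identification, path combination, criticality ranking by equation 2) can be sketched as follows; this is an added example, not code or data from the report. Assumptions: a path's attenuation is the product of its link dependencies and provisory likelihoods, multiple paths are combined as independent accident causes, and all names and numbers are constructed except the 0.8 link dependency and 0.1 External Lighting sensitivity quoted in Appendix B.

```python
"""FSPT-style criticality ranking on a small constructed model (not C-141 data)."""
from math import prod

N_PHASES = 9  # flight phases of Section 3.2.1; index 1 = takeoff, 7 = land

# Constructed major-function sensitivities by phase. Only the 0.1 for
# External Lighting is taken from the report's Appendix B example.
MAJOR_SENS = {
    "EXTERNAL_LIGHTING":  [0, 0, 0, 0, 0, 0, 0, 0.1, 0],
    "PITCH_CONTROL":      [0, 1.0, 0.5, 0.1, 0.1, 0.1, 0.5, 1.0, 0],
    "ROLL_CONTROL":       [0, 0.5, 0.5, 0.1, 0.1, 0.1, 0.5, 0.5, 0],
    "FORWARD_VISIBILITY": [0, 0, 0, 0, 0, 0, 0, 1.0, 0],
}

# One tuple per functional link: (lower item, dependent function,
# link dependency, provisory condition or None). Names are hypothetical;
# the 0.8 Control -> Landing Lights value is the report's example.
LINKS = [
    ("WUC_LIGHT_CTRL", "CONTROL", 1.0, None),
    ("CONTROL", "LANDING_LIGHTS", 0.8, None),
    ("LANDING_LIGHTS", "EXTERNAL_LIGHTING", 1.0, "NIGHT"),
    ("WUC_HYD_PUMP", "HYD_POWER", 1.0, None),
    ("HYD_POWER", "PITCH_CONTROL", 0.5, None),
    ("HYD_POWER", "ROLL_CONTROL", 0.2, None),
    ("WUC_WS_ANTI_ICE", "FORWARD_VISIBILITY", 1.0, "ICING"),
]

# Assumed likelihood that each provisory condition exists (constructed).
PROVISORY = {"NIGHT": 0.5, "ICING": 0.1}

# Constructed per-phase failure probabilities P_jk for each work unit code.
FAIL_PROB = {
    "WUC_LIGHT_CTRL":  [0.02] * N_PHASES,
    "WUC_HYD_PUMP":    [0.001] * N_PHASES,
    "WUC_WS_ANTI_ICE": [0.005] * N_PHASES,
}


def edit_deck(links, provisory=PROVISORY):
    """Deck edit: flag duplicated links, bad dependency values, unknown codes."""
    errors, seen = [], set()
    for lower, upper, dep, cond in links:
        if (lower, upper) in seen:
            errors.append(f"duplicate link {lower} -> {upper}")
        seen.add((lower, upper))
        if not 0.0 <= dep <= 1.0 or abs(dep * 10 - round(dep * 10)) > 1e-9:
            errors.append(f"{lower} -> {upper}: {dep} is not a 0.1 step in [0, 1]")
        if cond is not None and cond not in provisory:
            errors.append(f"{lower} -> {upper}: unknown provisory condition {cond}")
    return errors


def trace_paths(item, links=LINKS, provisory=PROVISORY, _above=()):
    """Return [(major function, attenuation)] for every path upward from item."""
    if item in MAJOR_SENS:
        return [(item, 1.0)]
    if item in _above:
        raise ValueError(f"functional loop through {item}")
    paths = []
    for lower, upper, dep, cond in links:
        if lower == item:
            # Assumption: a provisory link counts in proportion to the
            # likelihood that its condition exists.
            weight = dep * (provisory[cond] if cond else 1.0)
            for major, att in trace_paths(upper, links, provisory, _above + (item,)):
                paths.append((major, weight * att))
    return paths


def sensitivity(item):
    """Per-phase sensitivity; paths combined as independent causes (assumption)."""
    paths = trace_paths(item)
    return [1.0 - prod(1.0 - att * MAJOR_SENS[major][k] for major, att in paths)
            for k in range(N_PHASES)]


def criticality(item):
    """Equation 2: sum over phases of P_jk times the phase sensitivity."""
    return sum(p * s for p, s in zip(FAIL_PROB[item], sensitivity(item)))


def rank():
    """Work unit codes ordered by descending criticality."""
    return sorted(((w, criticality(w)) for w in FAIL_PROB), key=lambda r: -r[1])


if __name__ == "__main__":
    print("deck edit errors:", edit_deck(LINKS))
    for wuc, crit in rank():
        print(f"{wuc:16s} criticality = {crit:.6f}")
```

In this constructed deck the hydraulic pump has the lowest failure probability yet ranks first, because it reaches two flight-control major functions; this is the effect Figure 1-1 describes.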


3.2.5 Model Maintenance 


Each time an aircraft type for which a safety model has been developed under- 
goes a modification, the effects of the changes on the model must be evaluated. Tech- 
nical order and WUC revisions must be incorporated into the model. Removal of 
existing hardware, the installation of new hardware, or design improvements may 
change link dependencies and sensitivity assignments. The update procedure should
follow the same general steps as outlined for the initial analysis effort.


Existing block diagrams and a printout of the functional card deck form the 
baseline for change identification. Functional relationships should be reviewed to 
determine the impact of changes on the documented safety analysis. Diagrams should 
be revised to reflect functional differences, WUC changes should be noted, and all 
differences listed on a flight-safety functional tabulation sheet. The functional deck 
printout can be used for manual indication of what the changes are and where they 
occur. New data cards are prepared and the functional deck updated by the removal 
of obsolete cards and the insertion of new cards. From this point on, the computer 
is again utilized to edit the functional deck, perform path identification/documentation,
and calculate sensitivities for each WUC. 


Block diagrams and other affected portions of the specific aircraft safety 
analysis report should be updated and revised pages issued that reflect these changes. 
Maintaining an accurate and updated model is important to obtaining an accurate 
assessment of the safety significance of hardware failures. 
4
C-141 MODEL DEVELOPMENT


The FSPT model for the C-141 aircraft was begun in December 1972. The total
aircraft documentation was submitted for "GO-95" computer edit at SA/ALC in
May 1973.


The aircraft flight manual and maintenance technical orders provided the infor-
mation on aircraft system operation. The model developed represents C-141 aircraft
configured to the latest time compliance technical orders (TCTOs) documented in the 
manuals supplied by SA/ALC. Table 4-1 lists the manuals and their revision status 
applicable to the developed model. 


TABLE 4-1. C-141 SYSTEM DOCUMENTATION


1C-141A-1      Flight Manual                    Change 15, 1 February 1973
1C-141A-1-1    Performance Data                 Change 8, 1 May 1972
1C-141A-2-2    Ground Handling, Servicing,      Change 11, 1 May 1972
               and Aircraft Maintenance
1C-141A-2-3    Pneudraulics                     Change 9, 1 May 1972
1C-141A-2-4    Power Plant                      Change 4, 15 February 1972
1C-141A-2-5    Fuel System                      Changed 15 April 1971
1C-141A-2-6    Instruments                      Change 12, 1 May 1974
1C-141A-2-7    Electrical System                Change 10, 1 May 1972
1C-141A-2-9    Flight Control System            Change 11, 1 May 1972
1C-141A-2-12   Landing Gear                     Change 8, 1 May 1972
1C-141A-06     Work Unit Code Manual            Basic, 1 December 1972


Because of the vulnerability of the functional logic/sensitivity documentation to 
such errors as omission of links, duplication of cards, and incorrect keypunching, 
quality reviews were conducted at various critical points in the model development. 

In addition to keypunch verification, each card was checked against the functional link 
shown on the original rough draft and the final functional diagram and the diagrammed 
link was checked off. Missing or duplicated functional links were thus identified. 
Work unit codes used in the model were checked off against the WUC manual to assure
completeness.


The quality reviews were first conducted prior to computer verification of the 
aircraft deck by SA/ALC. Following computer verification, a second quality review 
was performed by representatives of Warner Robins ALC and ARINC Research.
Finally, the first criticality printout obtained from application of actual aircraft data
was reviewed to identify any terms whose sensitivity appeared to be unreasonable. In
such cases the paths were traced manually and changes made if an erroneous relation-
ship was found.


Appendix C presents the methods and standard used in documenting an FSPT air- 
craft model. Appendix D presents the FSPT documentation for the C-141 aircraft. 
HISTORICAL SUMMARY OF FSPT


In 1965, the desirability and practicability of quantifying the significance of 
specific equipment malfunctions relative to flight safety was explored in a feasibility 
study conducted by ARINC Research Corporation for the Air Force. The feasibility 
of a safety-quantification approach, which has subsequently become known as Flight 
Safety Prediction Technique (FSPT), was demonstrated; and the method was developed 
and refined in a series of studies, as follows: 


Study
Phase    Subject/Date                  Sponsor*/Publication No.

I        Feasibility Study,            Sacramento Air Materiel Area (SMNE),
         September 1965 to             Contract AF09(603)62335, SM-67-2;
         June 1967 (Phase I)           publication 705-01-1-777

II-A     Technique Development,        San Antonio Air Materiel Area (SANEW),
         October 1967 to               Contract AF09(603)-67-A-0267-SA01;
         July 1968 (Phase II-A)        publication 734-01-1-895

II-B     Technique Development,        San Antonio Air Materiel Area (SANEW),
         July 1968 to July 1969        Contract F09(603)-68-A-0317-SA01;
         (Phase II-B)                  publication 754-01-1-985 (Revision 1)

         FSPT System Documen-          San Antonio Air Materiel Area (MMER)
         tation for the F-4C and       Contract F41608-71-C-0576;
         T-37 Aircraft, October        publication 697-01-1-1118
         1970 to June 1971


In the Phase II-B study, the FSPT was applied to the F-106 aircraft. Con- 
current with Phase II-B, the U.S. Naval Safety Center contracted ARINC Research to 
extend the methodology to produce a flight safety criticality model for the F-4J air-
craft. The results of this effort are documented in ARINC Research Publication
753-01-3-982 (Revision 1). 


In 1970, ARINC Research was contracted to develop suitable input data to per- 
mit the application of the technique to the T-37 and F-4C aircraft. These data were 
derived in the form of mathematical model functional documentation as input to the 
basic computer program developed and applied to the F-106. 


In 1972, ARINC Research Corporation was awarded a contract, with the sub- 
sequent modifications in 1973 and 1974, to apply the Flight Safety Prediction 
Technique to 15 aircraft, working jointly with cognizant Air Logistics Centers. Air- 
craft to which the FSPT has been applied under this latter contract (F09603-72-A- 
1132-SA01) include: 


a. T-38
b. F-111A and FB-111A
c. A-7D
d. F-4D, E; RF-4C
e. C-141
f. A-37
g. O-2
h. OV-10
i. B-52G, H
j. C-130E
k. KC-135
l. C-5A
m. T-39
n. F-15
o. UH-1N Helicopter*


*Feasibility study of adaptation of FSPT to rotary-wing aircraft.

*The office symbols of Service Engineering at the Sacramento and San Antonio Air
Materiel Areas are now SM/ALC/MME and SA/ALC/MME, respectively.
FORMULATION OF CRITICALITY-ASSESSMENT TECHNIQUE


To implement the basic safety model defined in Section 2.2, it is necessary to
develop a submodel for the probability that a malfunction in element j during mission
phase k will result in an accident. This submodel in turn requires that we estimate
two parameters: the probability of accident if a major function is not available during
each mission phase, and the dependence of the major function on element j during each
mission phase.


The first parameter is termed "functional sensitivity" and is estimated for each
major function. The functional analysis performed in this task established for an
aircraft the following hierarchal scheme:

Aircraft
    Primary functions
        Major functions
            Function
                Elements (Work Unit Codes)


A primary function would be one such as Flight Control. Major functions under 
Flight Control would include Pitch Control and Yaw Control. 


The second parameter, "link dependency," is a vehicle for showing the influ- 
ence of each functional-path element on the performance of a major function. For 
example, if the major function being considered is External Lighting, the following 
diagram illustrates the nature of functional sensitivity and link dependency values. 


[Diagram: functional path through Landing Lights to External Lighting, with the 0.8 value marked on a link; legend entries: link dependencies, functional sensitivity]


The 0.8 value means that failure of the Control function will result in loss of the
Landing Light function 80% of the time. The 0.1 functional sensitivity value denotes
that loss of external lighting will result in an accident 10% of the time. The values
must be interpreted in a proportional sense, in that the actual accident probability is
dependent upon external factors (see Section 3.2.3).
The remainder of this appendix discusses the procedures and model used to
obtain element sensitivities; e.g., in the above example, the accident probability
given that a Work Unit Code in the Control function malfunctions.


Three principal types of functional relationship--series, redundant, and 
parallel--were identified as representing the major forms to consider in modeling 
element sensitivity. 


Series Relationship — A function having only one input. Schematically,


[Schematic: function A feeding function B]


which indicates that outside of its own elements, the success of function B is only
affected by the success of function A.


Functional Redundancy — A function having one or more backup functions that
can provide the required inputs to successor functions. Schematically,


where $A_1$ and $A_2$ represent a functional redundancy in that either may provide the
necessary input to B.


Parallel Functions — Two or more functions independent of each other in terms
of functional success, but each of which may be required for a successor function.
Schematically,


B will generally require both $A_1$ and $A_2$; but $A_1$ does not depend on $A_2$, nor does
$A_2$ depend on $A_1$.


In some cases the distinction between functional redundancy and parallel paths
is very slight, and may depend on mission phase. For example, the four engines of a
plane can be considered to be a redundant configuration providing inputs to the
primary propulsion function during cruising, but would generally be considered to be
parallel functions during takeoffs requiring full power.


In general, given a schematic relationship of the form, 


we can say that A and B are in a functionally redundant configuration if the success
probability of C is the same if 1) A and B are successful, 2) A only is successful,
or 3) B only is successful. If, for example, C is more likely to be successful if both
A and B are successful, rather than A or B alone, then the relationship is one of
parallel paths.


It is noted that the model will also account for element redundance and parallel
elements through inputs such as $P(A \mid i_A)$, representing the probability that the Ath
function fails given that the $i_A$th element in A has failed. If $i_A$ is a parallel element,
the probability would depend on mission requirements and other parallel-element
states.


Link dependency is the conditional probability of a functional failure, given the
failure of immediate predecessor functions. The link dependencies applicable to the
three basic designs defined above are shown below.


Series Relationship 


Link dependency = P(B|A) = probability that B fails given that A fails. 


Functional Redundancy


[Schematics: the redundant configuration, shown as equivalent to a single function B]


where $B = B_1 B_2$,


Parallel Functions


[Schematic with link labels of the form $P(B_1 \mid A)$, $P(B_2 \mid A)$ and $P(C \mid B_1 B_2)$]


We shall generally assume that the dependencies of $B_1$ with respect to A, and of
$B_2$ with respect to A, are independent of each other, so that


$$P(B_1 B_2 \mid A) = P(B_1 \mid A)\,P(B_2 \mid A)$$


We then can consider three link dependencies from A to B as follows:


$$P(B_1 B_2 \mid A)$$


noting that


$$P(B_1 \mid A) = P(B_1 B_2 \mid A) + P(B_1 \bar{B}_2 \mid A)$$


$$P(B_2 \mid A) = P(B_1 B_2 \mid A) + P(\bar{B}_1 B_2 \mid A)$$


Models are shown below for determining the sensitivity of elements within a
function for each of the three basic designs. The following basic assumptions apply:


a. Except for cases where an element has a redundant or parallel counterpart
or is located in a function with a redundant or parallel function, only the
element under consideration shall be assumed to have failed initially. Thus
the expression $P(\mathcal{A} \mid i)$, representing the accident probability given failure
of the ith Work Unit Code element, is based on the assumption that no other
element has failed unless element i is in some redundant or parallel
configuration. For cases in which there are redundant or parallel counterparts,
failures of such counterpart elements or functions are considered in
accordance with their occurrence probabilities.


b. The success of all immediate predecessors ensures the success of a
function, provided that the function experiences no element failures. Thus for
the series function relationship


[Schematic of the series relationship]


we assume

$$P(B \mid \bar{A}) = 0,$$

provided B experiences no element failures. If an element in function A
is under consideration, the latter provision is always true by assumption a.

The element sensitivity models are: 


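Series Relationship


$$P(\mathcal{A} \mid i_A) = P(A \mid i_A)\,P(B \mid A)\,P(C \mid B)\,P(\mathcal{A} \mid C)$$


Functional Redundancy


$$P(\mathcal{A} \mid i_A) = P(A \mid i_A)\,P(B \mid A)\,P(C \mid B)\,P(\mathcal{A} \mid C)$$

$$P(\mathcal{A} \mid i_{B_1}) = P(B_1 \mid i_{B_1})\,P(B_2)\,P(C \mid B)\,P(\mathcal{A} \mid C)$$


Parallel Functions


$$P(\mathcal{A} \mid i_A) = P(A \mid i_A)\,\left\{ P(BC \mid A)\,P(D \mid BC) + P(B\bar{C} \mid A)\,P(D \mid B\bar{C}) + P(\bar{B}C \mid A)\,P(D \mid \bar{B}C) \right\}\,P(\mathcal{A} \mid D)$$


$$P(\mathcal{A} \mid i_B) = P(B \mid i_B)\,\left\{ P(C \mid i_B)\,P(D \mid BC) + P(\bar{C} \mid i_B)\,P(D \mid B\bar{C}) \right\}\,P(\mathcal{A} \mid D)$$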


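A case not explicitly included in the above three basic functional relationships is
one for which a function is in two paths, e.g.,


then


$$\begin{aligned} P(\mathcal{A} \mid i_A) ={}& P(\bar{C} \mid i_A)\,P(B \mid i_A)\,P(\mathcal{A} \mid \bar{C}B) + P(C \mid i_A)\,P(\bar{B} \mid i_A)\,P(\mathcal{A} \mid C\bar{B}) \\ &+ P(C \mid i_A)\,P(B \mid i_A)\,\left\{ 1 - P(\bar{\mathcal{A}} \mid C)\,P(\bar{\mathcal{A}} \mid B) \right\} \end{aligned}$$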


where it is assumed that the effects of loss of the major functions in accident occur- 
rence are independent of each other. 


Use of Numerical Provisory Factors for Partially Redundant Systems 


The numerical provisory factors (see Table 3-1) are used where more than two
identical functions are involved in a redundancy. For example, aircraft with more
than two engines often have identical and independent systems for hydraulic pressuri- 
zation, and for electrical power generation, one driven by each engine. If the aircraft 
can be operated safely with one or more of such systems in a failed state, one of the 
numeric codes is utilized in assigning link dependency values. Consider, for example, 
the following: 


If N identical and independent units* are available and at least M are required
for safe operation, where 0<M<N, then the provisory factor of a given unit, say $U_j$, is
the probability that the failure of $U_j$ will cause the aircraft to enter an unsafe state.
This is the probability that exactly M-1 of the remaining N-1 units will be in an
unfailed state. This probability can be calculated by the formula for the binomial
distribution, and is given by


$$P(U_j) = \binom{N-1}{M-1}\,p^{M-1}\,q^{N-M}$$


where $P(U_j)$ = probability that failure of the jth unit will cause the aircraft to enter
an unsafe state, and
M = Number of units required
N = Number of units available
p = Probability that a single unit will be in an unfailed state
q = Probability that a single unit will be in a failed state, or (1-p)


*Units may be either elements, element assemblies, or functions. 
Assignment of link dependencies to N identical and independent units of which
only M are required proceeds as follows. The value assigned to each unit is the
dependency of the higher level function on receiving an output from M of the units 
(usually 1.0). The provisory factor is the appropriate numeric code. In the evaluation 
of the path sensitivity, the computer is programmed to select the binomial formula that 
corresponds to the provisory factor listed. 
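The series and parallel sensitivity models and the M-of-N provisory factor above, worked numerically as an added example (not the report's computer program). Function names and all inputs except the report's 0.8 link dependency and 0.1 functional sensitivity are assumptions; the parallel case assumes B and C fail independently given that A has failed.

```python
from itertools import product
from math import comb, prod

def provisory_factor(n, m, p):
    """P(U_j): exactly m-1 of the other n-1 units are unfailed (binomial)."""
    if not 0 < m < n:
        raise ValueError("the report's formula assumes 0 < M < N")
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability")
    return comb(n - 1, m - 1) * p ** (m - 1) * (1.0 - p) ** (n - m)

def provisory_factor_enumerated(n, m, p):
    """Cross-check: add up every state of the other n-1 units in which
    losing U_j drops the working count from m to m-1."""
    total = 0.0
    for state in product((True, False), repeat=n - 1):  # True = unfailed
        up = sum(state)
        if up == m - 1:
            total += p ** up * (1.0 - p) ** (n - 1 - up)
    return total

def series_sensitivity(p_func_given_elem, link_deps, functional_sensitivity):
    """P(accident|i_A) = P(A|i_A) * P(B|A) * P(C|B) * ... * P(accident|last)."""
    return p_func_given_elem * prod(link_deps) * functional_sensitivity

def parallel_sensitivity(p_a_given_elem, p_b_given_a, p_c_given_a,
                         p_d_given_state, p_acc_given_d):
    """Parallel-functions model with B and C independent given A failed.
    p_d_given_state maps (b_failed, c_failed) -> P(D fails | that state);
    the (False, False) state contributes nothing by assumption b."""
    joint = {
        (True, True): p_b_given_a * p_c_given_a,
        (True, False): p_b_given_a * (1.0 - p_c_given_a),
        (False, True): (1.0 - p_b_given_a) * p_c_given_a,
    }
    inner = sum(joint[s] * p_d_given_state[s] for s in joint)
    return p_a_given_elem * inner * p_acc_given_d

if __name__ == "__main__":
    # 0.8 and 0.1 are the report's External Lighting values; the rest is constructed.
    print("series:", round(series_sensitivity(1.0, [0.8, 0.5], 0.1), 4))
    print("2-of-4 provisory factor:", round(provisory_factor(4, 2, 0.9), 4))
    d_given = {(True, True): 1.0, (True, False): 0.3, (False, True): 0.3}
    print("parallel:", round(parallel_sensitivity(1.0, 0.8, 0.6, d_given, 0.1), 4))
```

The enumerated cross-check agrees with the closed form because the only states in which the loss of one unit matters are those where exactly M-1 of the other N-1 units are still working.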
FSPT DOCUMENTATION METHODS


Because of the extreme complexity of aircraft, it is necessary to develop a 
computerized method to identify and document all possible paths associated with each 
function as well as to determine the safety sensitivity associated with each path. A 
computer routine has been devised that takes the data from the functional card deck 
and traces and documents all paths. For each WUC, it also computes the flight-phase 
sensitivities for each path in which the WUC is present. The resulting computer 
printout provides a combined functional path sensitivity. 


C.1 ALPHA CODING 


As each system of the aircraft is functionally diagrammed, the functional blocks 
are assigned an "alpha code". This code aids the analyst in the bookkeeping tasks of
functional diagramming and provides the computer with an identification of the ele- 
ments to be processed. For standardization among aircraft, nine top-level functions 
have been defined and each has been assigned an initial or first-alpha designator. 
Each block in the functional diagram carries the same initial alpha as the top level 
function. Subsequent letters added to the initial alpha uniquely identify each block. 


The only restrictions placed on the assignment of alpha codes are that: 


a. All characters in a code must be letters of the alphabet, and


b. The maximum number of characters in one code is seven. 


C.2 ALPHA CODING AND COMPUTER PROGRAM COMPATIBILITY 


Additional rules for alpha coding required to obtain the desired results from 
computer processing include: 


a. When a WUC item operates in the same mode to perform more than one 
function, the same alpha code is used in each application. 


b. When a WUC item operates in a different mode to perform each of more 
than one function, a different alpha designator is assigned for each 
operating mode. 


C.3 FUNCTIONAL TABULATION


The "Flight Safety Functional Tabulation" sheet is used to code the safety model
for keypunching. The sheets are coded as follows (refer to Figure C-1 for an
example).


a. Columns 1 through 3. Used to identify the aircraft represented by the
model. For certain aircraft modeled under this contract more than one
model designation series (MDS) was included. For instance, a single
functional deck was created for four MDSs of the F-4 aircraft. Cards
with "F4"* in columns 1-3 were common to all aircraft. For example,
when these cards are combined with those carrying "F4E" in columns
1-3, the result is an F-4E FSPT model deck.


b. Columns 4 through 31. Contain the title of the function or the WUC item.


c. Columns 32 through 36. Contain the left-justified WUC number.


d. Columns 37 and 38. Blank.


e. Columns 39 through 46. Contain the assigned alpha designator for the
function and/or the WUC. Column 39 contains either an L or an R, or is
blank. The L and R designate left and right for those instances when the
function and/or WUC pertains to the left or right side of the aircraft.


f. Columns 47 and 48. Blank.


g. Columns 49 through 55. Normally left blank, but are used after a deck
is operational to substitute the data on a card for that stored in the
computer by punching the line record number in this field.


h. Columns 56 through 63. Identify the dependent functions for either
the function or specific WUCs being coded. Column 56 may contain
L, R or blank for the same purpose as that of column 39.


i. Column 64. Contains the alphanumeric code of the "provisory factor"
applicable to the link value assigned.


j. Columns 65 through 69. Contain the alpha designator of a function that is
an alternate for the function being coded. (Column 65 is used for "L" or
"R" as in Column 39.) The presence of the "alternate alpha" flags the
importance of the link dependency as being affected by the success
probability of the alternate function.


k. Column 70. Contains the work unit code dependency value (1 = 0.10;
2 = 0.20; ... A = 1.0). This value is applicable to all flight phases.


l. Column 71. Contains special instructions to the computer through the
use of letters F, S, or being blank. Cards with an "S" or "blank" in
column 71 are used in sensitivity computations. Cards with an "F"
document a functional relationship which, although present in the
system, would produce an erroneous sensitivity value when combined with
other nonindependent paths (having the same function in common at some
higher level). The "F" prevents the computer from including the link in
the sensitivity calculations.


m. Columns 72 through 80. Contain functional dependencies for each of
nine flight phases as described in Section 3.2.1 of the text. Coding is
the same as for column 70.
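The column layout above, as an added fixed-width parser and validator (an illustration, not the report's program). The sample card, its aircraft identifier, WUC number and alpha codes are constructed, and treating a blank dependency column as "no value" is an assumption.

```python
import re

# Field -> (first, last) column, 1-indexed inclusive, from the C.3 list.
FIELDS = {
    "aircraft": (1, 3), "title": (4, 31), "wuc": (32, 36), "pad1": (37, 38),
    "alpha": (39, 46), "pad2": (47, 48), "line_record": (49, 55),
    "dependent": (56, 63), "provisory": (64, 64), "alternate": (65, 69),
    "wuc_dep": (70, 70), "flag": (71, 71), "phase_deps": (72, 80),
}
ALPHA = re.compile(r"[A-Z]{1,7}")  # C.1: letters only, at most seven
# '1'..'9' -> 0.1..0.9, 'A' -> 1.0; blank -> None is an assumption.
CODES = {" ": None, "A": 1.0, **{str(d): d / 10 for d in range(1, 10)}}

def decode_dependency(ch):
    """Decode one dependency column (column 70 or one of columns 72-80)."""
    if ch not in CODES:
        raise ValueError(f"invalid dependency code {ch!r}")
    return CODES[ch]

def split_alpha(field, name):
    """Split an alpha field into (side, code); its first column is L, R or blank."""
    side, code = field[0], field[1:].strip()
    if side not in " LR":
        raise ValueError(f"{name}: side must be L, R or blank")
    if code and not ALPHA.fullmatch(code):
        raise ValueError(f"{name}: {code!r} is not a valid alpha code")
    return side.strip() or None, code or None

def parse_card(line):
    """Parse one 80-column functional-tabulation card into a dict."""
    if len(line) > 80:
        raise ValueError("card longer than 80 columns")
    card = line.ljust(80)
    raw = {k: card[a - 1:b] for k, (a, b) in FIELDS.items()}
    if raw["pad1"].strip() or raw["pad2"].strip():
        raise ValueError("columns 37-38 and 47-48 must be blank")
    if raw["flag"] not in " SF":
        raise ValueError("column 71 must be F, S or blank")
    return {
        "aircraft": raw["aircraft"].strip(),
        "title": raw["title"].strip(),
        "wuc": raw["wuc"].strip() or None,
        "alpha": split_alpha(raw["alpha"], "alpha"),
        "dependent": split_alpha(raw["dependent"], "dependent"),
        "provisory": raw["provisory"].strip() or None,
        "alternate": split_alpha(raw["alternate"], "alternate"),
        "wuc_dep": decode_dependency(raw["wuc_dep"]),
        "in_sensitivity": raw["flag"] != "F",  # "F" links are documented only
        "phase_deps": [decode_dependency(c) for c in raw["phase_deps"]],
    }

# Constructed sample card (not from the C-141 deck); ids and codes are made up.
SAMPLE = (f"{'ZZZ':<3}{'LANDING LIGHT CONTROL':<28}{'99999':<5}{'':2}"
          f"{'LUXA':<8}{'':2}{'':7}{'LUXB':<8}{' '}{'':5}{'A'}{'S'}{'888888811'}")
```

Rejecting cards with stray punches in the blank columns or a non-letter alpha code catches column-shift errors before they silently change a link dependency.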


The diagrams produced under the contract document the functional inter- 
relationship of the aircraft systems considered in the model. In the interest of extend- 
ing the useful life of the diagrams, WUC items are not shown, thereby eliminating the 
necessity of updating the diagrams with each (and sometimes frequent) change to the 
WUC manual. 


C.4 DIAGRAM CONSTRUCTION


As discussed earlier in this report, the diagrams represent the hierarchal
structure of the paths from which the sensitivity values are derived. The diagrams, 
although consistent with the system schematic and reliability block diagrams, are not 
equivalent due to this hierarchal method of documentation. In the actual system, 
signals and/or fluids pass from one component to the next and are thus documented in 
schematics; conversely, the hierarchal approach only identifies the components that 
must operate to achieve a given function, independent of the direction and/or sequence 
of signal flow. This approach directly addresses the system impact of a component 
failure without the necessity of identifying the intrasystem secondary failures. Each 
line connecting functions on the diagram is documented by a punchcard, with the lower 
function providing the "alpha designator" and the higher function's alpha designator 
indicated as the "dependent function".*


*The card deck also documents functional relationships not shown on the diagram; 
the work unit codes (mentioned earlier) and the "S" cards discussed in 
paragraph C.3.1.
FSPT DOCUMENTATION OF C-141 AIRCRAFT


This appendix contains the functional relationship diagrams and a listing of the 
keypunch cards that comprise the C-141 aircraft FSPT safety model documentation. 


D.1 DIAGRAMS 


The diagrams illustrating the functional relationships considered in the C-141 
safety model will be found on pages D-5 through D-33, and are listed below: 


Diagram Page 
Propulsion 


Propulsion/Engine 
Propulsion/Engine 
Propulsion/Fuel Feed 1, 2 
Propulsion/Fuel Feed 3 
Propulsion/Fuel Feed 4 


Communications /Navigation/Identification 


Comm/Nav/Ident 
Steering Solutions 
Approach & Landing Aids 


Information and Displays 


Info & Displays 
Warnings 


Environmental Control 


Environmental Control 
Air Temp, Pressure Control 


Flight Control 


Flight Control 

Lift Augmentation 
Yaw Control 

Pitch Control 

Roll Control 

Flight Speed Control 
AFCS 

Stall Prevention 




Ground Control 




Landing Gear 


Mission Support 




Utilities 


Main AC Power UA-1 D-28 
AC Power Generation UA-2 D-29 
Multifeed AC Power UA-3 D-30 
DC Power UB-1 D-31 
Hydraulics UH-1 D-32 
Air Data Computer UK-1 D-33 


D.2 CARD LISTING 


Pages D-35 through D-140 are a reproduction of the punchcard listing. The list- 
ing is alphabetical by "alpha designator," and the format is that of the 80-column 
punchcard itself as described in Appendix C. 